European data privacy regulation – what makes “personal data”?

Background

In Europe, the first data privacy considerations were brought to the European Council’s attention in 1980 as “The Organization for Economic Co-operation and Development” issued recommendations in this respect. In the document “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data” OECD released seven principles governing data privacy, and most of them were later included in the Data Protection Directive of 1995. These principles were non-binding from the legal point of view, but in 1981, the European Council issued a treaty enforcing signatories to regulate data privacy accordingly.

As the European Union was founded in 1993, it regulated data privacy through Directive 95/46/EC or the “Data Protection Directive”. The primary purpose of the regulation was to enforce the right to privacy of any European individual and principles aimed to protect people while, at the same time, allowing freedom of speech. Various countries in the EU adopted the Directive, but most of the local implementations did not regulate electronic use. Some countries who did extend the Directive and defined proper controls for data processing in electronic environments were Italy and Germany.

In 2016, Directive 95/46 becomes repealed by Directive 2016/679 which amends some key aspects, including the definition of “personal data.”

What makes “personal data”?

In Directive 95/46

Initially “personal data” covered:

“any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;” (art. 2 a).

However, in oncoming jurisprudence, the Court of Justice of the European Union, interpreted personal data in a broader way, including aspects related to a person’s professional life as well. Next, and furthermore, even if the data itself is only an opinion of a third party, about a certain individual, it may still be interpreted as personal data.

Example from the “Handbook on European Data Protection Law”:

“Any kind of information can be personal data provided that it relates to a person. Example: A supervisor’s assessment of an employee’s work performance, stored in the employee’s personnel file, is personal data about the employee, even though it may just reflect, in part or whole, the superior’s personal opinion, such as: “the employee is not dedicated to his work” and not hard facts, such as: “the employee has been absent from work for five weeks during the last six months.””

In the General Data Protection Regulation (EU Regulation 2016/679)

The General Data Protection Regulation adds several amendments aimed to update the former directive and enforce it. Among them, there is one regarding the definition of personal data. The new regulation adds “an online identifier” when enumerating the types of information that fall under the scope of “personal information”, clearly moving the scope to the “digital world”. Also, there are new definitions for terms like “personal data breach” and “biometric data”.

Key points to keep in mind regarding the GDPR update:

• Personal data means virtually anything related to a person – online/electronic as well;
• Any controller conducting business in the EU and processing such data is affected, no matter where the actual processing takes place (i.e. outside the EU).
• Companies larger than 250 employees need to have a Data Protection Officer;
• There is an obligation to notify authorities in 72 hours after identifying a data breach;
• There is an obligation to notify affected subjects;
• There are fines of up to EUR 20M or 4% of the revenue in case of noncompliance.

Liked this article? Follow us on LinkedIn for more, or subscribe to our newsletter.

Good reading for understanding key concepts and following on various interpretations: “Handbook on European Data Protection law”